{"id":13538627,"url":"https://github.com/cbeuw/cloak","last_synced_at":"2025-05-13T17:11:37.787Z","repository":{"id":38550041,"uuid":"158890222","full_name":"cbeuw/Cloak","owner":"cbeuw","description":"A censorship circumvention tool to evade detection by authoritarian state adversaries","archived":false,"fork":false,"pushed_at":"2025-04-23T14:46:19.000Z","size":1018,"stargazers_count":3563,"open_issues_count":136,"forks_count":317,"subscribers_count":65,"default_branch":"master","last_synced_at":"2025-04-25T14:50:33.268Z","etag":null,"topics":["censorship","censorship-circumvention","gfw","openvpn","pluggable-transports","proxy","shadowsocks","tor","vpn"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cbeuw.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2018-11-24T00:46:53.000Z","updated_at":"2025-04-24T13:43:57.000Z","dependencies_parsed_at":"2022-07-09T17:46:54.654Z","dependency_job_id":"ec84f9dd-806f-4bd6-b6b9-8d3c68965960","html_url":"https://github.com/cbeuw/Cloak","commit_stats":{"total_commits":650,"total_committers":13,"mean_commits":50.0,"dds":"0.055384615384615365","last_synced_commit":"97a03139bc89f92e4c3fa382cad1290e826d6877"},"previous_names":[],"tags_count":35,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cbeuw%2FCloak","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cbeuw%2FCloak/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cbeuw%2FCloak/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cbeuw%2FCloak/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cbeuw","download_url":"https://codeload.github.com/cbeuw/Cloak/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253990470,"owners_count":21995774,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["censorship","censorship-circumvention","gfw","openvpn","pluggable-transports","proxy","shadowsocks","tor","vpn"],"created_at":"2024-08-01T09:01:14.297Z","updated_at":"2025-05-13T17:11:32.770Z","avatar_url":"https://github.com/cbeuw.png","language":"Go","funding_links":["https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick\u0026hosted_button_id=SAUYKGSREP8GL\u0026source=url"],"categories":["\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003e漏洞\u0026\u0026漏洞管理\u0026\u0026漏洞发现/挖掘\u0026\u0026漏洞开发\u0026\u0026漏洞利用\u0026\u0026Fuzzing"],"sub_categories":["\u003ca id=\"9d1ce4a40c660c0ce15aec6daf7f56dd\"\u003e\u003c/a\u003e未分类-Vul"],"readme":"[![Build Status](https://github.com/cbeuw/Cloak/workflows/Build%20and%20test/badge.svg)](https://github.com/cbeuw/Cloak/actions)\n[![codecov](https://codecov.io/gh/cbeuw/Cloak/branch/master/graph/badge.svg)](https://codecov.io/gh/cbeuw/Cloak)\n[![Go Report Card](https://goreportcard.com/badge/github.com/cbeuw/Cloak)](https://goreportcard.com/report/github.com/cbeuw/Cloak)\n[![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick\u0026hosted_button_id=SAUYKGSREP8GL\u0026source=url)\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://user-images.githubusercontent.com/7034308/96387206-3e214100-1198-11eb-8917-689d7c56e0cd.png\" /\u003e\n  \u003cimg src=\"https://user-images.githubusercontent.com/7034308/155593583-f22bcfe2-ac22-4afb-9288-1a0e8a791a0d.svg\" /\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://user-images.githubusercontent.com/7034308/155629720-54dd8758-ec98-4fed-b603-623f0ad83b6c.svg\" /\u003e\n\u003c/p\u003e\n\nCloak is a [pluggable transport](https://www.ietf.org/proceedings/103/slides/slides-103-pearg-pt-slides-01) that enhances\ntraditional proxy tools like OpenVPN to evade [sophisticated censorship](https://en.wikipedia.org/wiki/Deep_packet_inspection) and [data discrimination](https://en.wikipedia.org/wiki/Net_bias).\n\nCloak is not a standalone proxy program. Rather, it works by masquerading proxied traffic as normal web browsing\nactivities. In contrast to traditional tools which have very prominent traffic fingerprints and can be blocked by simple filtering rules,\nit's very difficult to precisely target Cloak with little false positives. This increases the collateral damage to censorship actions as\nattempts to block Cloak could also damage services the censor state relies on.\n\nTo any third party observer, a host running Cloak server is indistinguishable from an innocent web server. Both while\npassively observing traffic flow to and from the server, as well as while actively probing the behaviours of a Cloak\nserver. This is achieved through the use a series\nof [cryptographic steganography techniques](https://github.com/cbeuw/Cloak/wiki/Steganography-and-encryption).\n\nCloak can be used in conjunction with any proxy program that tunnels traffic through TCP or\nUDP, such as Shadowsocks, OpenVPN and Tor. Multiple proxy servers can be running on the same server host and\nCloak server will act as a reverse proxy, bridging clients with their desired proxy end.\n\nCloak multiplexes traffic through multiple underlying TCP connections which reduces head-of-line blocking and eliminates\nTCP handshake overhead. This also makes the traffic pattern more similar to real websites.\n\nCloak provides multi-user support, allowing multiple clients to connect to the proxy server on the same port (443 by\ndefault). It also provides traffic management features such as usage credit and bandwidth control. This allows a proxy\nserver to serve multiple users even if the underlying proxy software wasn't designed for multiple users\n\nCloak also supports tunneling through an intermediary CDN server such as Amazon Cloudfront. Such services are so widely used,\nattempts to disrupt traffic to them can lead to very high collateral damage for the censor.\n\n## Quick Start\n\nTo quickly deploy Cloak with Shadowsocks on a server, you can run\nthis [script](https://github.com/HirbodBehnam/Shadowsocks-Cloak-Installer/blob/master/Cloak2-Installer.sh) written by\n@HirbodBehnam\n\nTable of Contents\n=================\n\n* [Quick Start](#quick-start)\n* [Build](#build)\n* [Configuration](#configuration)\n    * [Server](#server)\n    * [Client](#client)\n* [Setup](#setup)\n    * [Server](#server-1)\n        * [To add users](#to-add-users)\n            * [Unrestricted users](#unrestricted-users)\n            * [Users subject to bandwidth and credit controls](#users-subject-to-bandwidth-and-credit-controls)\n    * [Client](#client-1)\n* [Support me](#support-me)\n\n## Build\n\n```bash\ngit clone https://github.com/cbeuw/Cloak\ncd Cloak\ngo get ./...\nmake\n```\n\nBuilt binaries will be in `build` folder.\n\n## Configuration\n\nExamples of configuration files can be found under `example_config` folder.\n\n### Server\n\n`RedirAddr` is the redirection address when the incoming traffic is not from a Cloak client. Ideally it should be set to\na major website allowed by the censor (e.g. `www.bing.com`)\n\n`BindAddr` is a list of addresses Cloak will bind and listen to (e.g. `[\":443\",\":80\"]` to listen to port 443 and 80 on\nall interfaces)\n\n`ProxyBook` is an object whose key is the name of the ProxyMethod used on the client-side (case-sensitive). Its value is\nan array whose first element is the protocol, and the second element is an `IP:PORT` string of the upstream proxy server\nthat Cloak will forward the traffic to.\n\nExample:\n\n```json\n{\n  \"ProxyBook\": {\n    \"shadowsocks\": [\n      \"tcp\",\n      \"localhost:51443\"\n    ],\n    \"openvpn\": [\n      \"tcp\",\n      \"localhost:12345\"\n    ]\n  }\n}\n```\n\n`PrivateKey` is the static curve25519 Diffie-Hellman private key encoded in base64.\n\n`BypassUID` is a list of UIDs that are authorised without any bandwidth or credit limit restrictions\n\n`AdminUID` is the UID of the admin user in base64. You can leave this empty if you only ever add users to `BypassUID`.\n\n`DatabasePath` is the path to `userinfo.db`, which is used to store user usage information and restrictions. Cloak will\ncreate the file automatically if it doesn't exist. You can leave this empty if you only ever add users to `BypassUID`.\nThis field also has no effect if `AdminUID` isn't a valid UID or is empty.\n\n`KeepAlive` is the number of seconds to tell the OS to wait after no activity before sending TCP KeepAlive probes to the\nupstream proxy server. Zero or negative value disables it. Default is 0 (disabled).\n\n### Client\n\n`UID` is your UID in base64.\n\n`Transport` can be either `direct` or `CDN`. If the server host wishes you to connect to it directly, use `direct`. If\ninstead a CDN is used, use `CDN`.\n\n`PublicKey` is the static curve25519 public key in base64, given by the server admin.\n\n`ProxyMethod` is the name of the proxy method you are using. This must match one of the entries in the\nserver's `ProxyBook` exactly.\n\n`EncryptionMethod` is the name of the encryption algorithm you want Cloak to use. Options are `plain`, `aes-256-gcm` (\nsynonymous to `aes-gcm`), `aes-128-gcm`, and `chacha20-poly1305`. Note: Cloak isn't intended to provide transport\nsecurity. The point of encryption is to hide fingerprints of proxy protocols and render the payload statistically\nrandom-like. **You may only leave it as `plain` if you are certain that your underlying proxy tool already provides BOTH\nencryption and authentication (via AEAD or similar techniques).**\n\n`ServerName` is the domain you want to make your ISP or firewall _think_ you are visiting. Ideally it should\nmatch `RedirAddr` in the server's configuration, a major site the censor allows, but it doesn't have to. Use `random` to randomize the server name for every connection made.\n\n`AlternativeNames` is an array used alongside `ServerName` to shuffle between different ServerNames for every new\nconnection. **This may conflict with `CDN` Transport mode** if the CDN provider prohibits domain fronting and rejects\nthe alternative domains.\n\nExample:\n\n```json\n{\n  \"ServerName\": \"bing.com\",\n  \"AlternativeNames\": [\"cloudflare.com\", \"github.com\"]\n}\n```\n\n`CDNOriginHost` is the domain name of the _origin_ server (i.e. the server running Cloak) under `CDN` mode. This only\nhas effect when `Transport` is set to `CDN`. If unset, it will default to the remote hostname supplied via the\ncommandline argument (in standalone mode), or by Shadowsocks (in plugin mode). After a TLS session is established with\nthe CDN server, this domain name will be used in the `Host` header of the HTTP request to ask the CDN server to\nestablish a WebSocket connection with this host.\n\n`CDNWsUrlPath` is the url path used to build websocket request sent under `CDN` mode, and also only has effect\nwhen `Transport` is set to `CDN`. If unset, it will default to \"/\". This option is used to build the first line of the\nHTTP request after a TLS session is extablished. It's mainly for a Cloak server behind a reverse proxy, while only\nrequests under specific url path are forwarded.\n\n`NumConn` is the amount of underlying TCP connections you want to use. The default of 4 should be appropriate for most\npeople. Setting it too high will hinder the performance. Setting it to 0 will disable connection multiplexing and each\nTCP connection will spawn a separate short-lived session that will be closed after it is terminated. This makes it\nbehave like GoQuiet. This maybe useful for people with unstable connections.\n\n`BrowserSig` is the browser you want to **appear** to be using. It's not relevant to the browser you are actually using.\nCurrently, `chrome`, `firefox` and `safari` are supported.\n\n`KeepAlive` is the number of seconds to tell the OS to wait after no activity before sending TCP KeepAlive probes to the\nCloak server. Zero or negative value disables it. Default is 0 (disabled). Warning: Enabling it might make your server\nmore detectable as a proxy, but it will make the Cloak client detect internet interruption more quickly.\n\n`StreamTimeout` is the number of seconds of Cloak waits for an incoming connection from a proxy program to send any\ndata, after which the connection will be closed by Cloak. Cloak will not enforce any timeout on TCP connections after it\nis established.\n\n## Setup\n\n### Server\n\n0. Install at least one underlying proxy server (e.g. OpenVPN, Shadowsocks).\n1. Download [the latest release](https://github.com/cbeuw/Cloak/releases) or clone and build this repo.\n2. Run `ck-server -key`. The **public** should be given to users, the **private** key should be kept secret.\n3. (Skip if you only want to add unrestricted users) Run `ck-server -uid`. The new UID will be used as `AdminUID`.\n4. Copy example_config/ckserver.json into a desired location. Change `PrivateKey` to the private key you just obtained;\n   change `AdminUID` to the UID you just obtained.\n5. Configure your underlying proxy server so that they all listen on localhost. Edit `ProxyBook` in the configuration\n   file accordingly\n6. [Configure the proxy program.](https://github.com/cbeuw/Cloak/wiki/Underlying-proxy-configuration-guides)\n   Run `sudo ck-server -c \u003cpath to ckserver.json\u003e`. ck-server needs root privilege because it binds to a low numbered\n   port (443). Alternatively you can follow https://superuser.com/a/892391 to avoid granting ck-server root privilege\n   unnecessarily.\n\n#### To add users\n\n##### Unrestricted users\n\nRun `ck-server -uid` and add the UID into the `BypassUID` field in `ckserver.json`\n\n##### Users subject to bandwidth and credit controls\n\n0. First make sure you have `AdminUID` generated and set in `ckserver.json`, along with a path to `userinfo.db`\n   in `DatabasePath` (Cloak will create this file for you if it didn't already exist).\n1. On your client, run `ck-client -s \u003cIP of the server\u003e -l \u003cA local port\u003e -a \u003cAdminUID\u003e -c \u003cpath-to-ckclient.json\u003e` to\n   enter admin mode\n2. Visit https://cbeuw.github.io/Cloak-panel (Note: this is a pure-js static site, there is no backend and all data\n   entered into this site are processed between your browser and the Cloak API endpoint you specified. Alternatively you\n   can download the repo at https://github.com/cbeuw/Cloak-panel and open `index.html` in a browser. No web server is\n   required).\n3. Type in `127.0.0.1:\u003cthe port you entered in step 1\u003e` as the API Base, and click `List`.\n4. You can add in more users by clicking the `+` panel\n\nNote: the user database is persistent as it's in-disk. You don't need to add the users again each time you start\nck-server.\n\n### Client\n\n**Android client is available here: https://github.com/cbeuw/Cloak-android**\n\n0. Install the underlying proxy client corresponding to what the server has.\n1. Download [the latest release](https://github.com/cbeuw/Cloak/releases) or clone and build this repo.\n2. Obtain the public key and your UID from the administrator of your server\n3. Copy `example_config/ckclient.json` into a location of your choice. Enter the `UID` and `PublicKey` you have\n   obtained. Set `ProxyMethod` to match exactly the corresponding entry in `ProxyBook` on the server end\n4. [Configure the proxy program.](https://github.com/cbeuw/Cloak/wiki/Underlying-proxy-configuration-guides)\n   Run `ck-client -c \u003cpath to ckclient.json\u003e -s \u003cip of your server\u003e`\n\n## Support me\n\nIf you find this project useful, you can visit my [merch store](https://www.redbubble.com/people/cbeuw/explore);\nalternatively you can donate directly to me\n\n[![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick\u0026hosted_button_id=SAUYKGSREP8GL\u0026source=url)\n\nBTC: `bc1q59yvpnh0356qq9vf0j2y7hx36t9ysap30spx9h`\n\nETH: `0x8effF29a8F9bD38A367580527AC303972c92b60c`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcbeuw%2Fcloak","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcbeuw%2Fcloak","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcbeuw%2Fcloak/lists"}